VMware Cloud Community
XavierEstevez
Contributor

ESXi 5.5 Update 3b (build 3248547) disables SSLv3, older version of vCenter Server can't reconnect host.

My versions:

vCenter Server 5.5 Update 2d | 27 JAN 2015 | Build 2442329

VMware ESXi™ 5.5 Update 3b | 8 DEC 2015 | 3248547

VMware Product Interoperability Matrixes says that vCenter Server 5.5u2 is a valid combo with ESXi 5.5U3.

The patch for ESXi 5.5u3b / build 3248547 disables SSLv3 (to remediate the POODLE SSL vulnerability); see the VMware ESXi 5.5 Update 3b Release Notes.

I found that after applying the patch to an ESXi host and rebooting it, vCenter could not reconnect the host.

vCenter server's /var/log/vmware/vpx/vpxd.log:

[timestamp] [[...] error 'HttpConnectionPool-006630'] [ConnectComplete] Connect failed to <cs p:[...], TCP:esxi01.example.com:443>; cnx: (null), error: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:140000DB:SSL routines:SSL routines:short read)

The steps in VMware KB: Enabling SSLv3 protocol on vSphere 5.5 (hostd section) work to un-break the connectivity of vCenter to the updated ESXi host, but of course that re-enables the vulnerable SSLv3, which is undesired.

Is there a way to make ESXi 5.5 3248547 work with VCSA 5.5u2d 2442329, with both sides avoiding SSLv3?

Am I correct to assume that updating VCSA to 5.5u3 will change VCSA's SSL version behavior to work without SSLv3?

Thanks!
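The "short read" in the vpxd.log line above is OpenSSL's name for the peer closing the connection in the middle of the handshake, which is what a host that no longer speaks SSLv3 does when it is offered nothing newer. The probe below is an added example for this thread, not VMware code and not something from the original posts: it sends a bare SSLv3 ClientHello to port 443 and reports whether the host accepts it, refuses it with an alert, or simply drops the connection. The host name esxi01.example.com is the placeholder from the log line, and the cipher list and alert names are the example's own choices.

```python
"""Probe whether a TLS endpoint still accepts an SSLv3 handshake.

Sends a minimal, extension-free SSLv3 ClientHello and classifies the first
record that comes back:
  accepted -> SSLv3 ServerHello (SSLv3 is still enabled on the host)
  refused  -> TLS alert such as handshake_failure or protocol_version
  closed   -> socket closed with no record; OpenSSL surfaces this to the
              caller as "SSL routines:short read"
"""
import os
import socket
import struct
from typing import Optional, Tuple

SSLV3 = b"\x03\x00"
RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02

# Assumed cipher list: RSA suites an SSLv3-era host would recognise (IANA ids).
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]

# Subset of TLS AlertDescription values (RFC 5246, section 7.2).
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def build_sslv3_client_hello(random_bytes: Optional[bytes] = None) -> bytes:
    """Return one SSLv3 record carrying an extension-free ClientHello."""
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    if len(rnd) != 32:
        raise ValueError("ClientHello.random must be 32 bytes")
    suites = b"".join(struct.pack(">H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3 + rnd
        + b"\x00"                                   # session_id length = 0
        + struct.pack(">H", len(suites)) + suites   # cipher_suites
        + b"\x01\x00"                               # one compression method: null
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + SSLV3 + struct.pack(">H", len(handshake)) + handshake


def classify_response(data: bytes) -> Tuple[str, str]:
    """Classify the first record a server returns for an SSLv3 ClientHello."""
    if len(data) < 5:
        # EOF (or a partial header) before any record: OpenSSL reports this
        # as "SSL routines:short read", the error seen in vpxd.log.
        return "closed", "connection closed before a record arrived (%d bytes)" % len(data)
    ctype = data[0]
    if ctype == RECORD_ALERT and len(data) >= 7:
        level, desc = data[5], data[6]
        name = ALERT_NAMES.get(desc, "alert_%d" % desc)
        return "refused", "%s alert %s (%d)" % ("fatal" if level == 2 else "warning", name, desc)
    if ctype == RECORD_HANDSHAKE and len(data) >= 11 and data[5] == HS_SERVER_HELLO:
        version = data[9:11]          # record header (5) + handshake header (4)
        if version != SSLV3:
            return "other", "ServerHello with version %s" % version.hex()
        suite = "?"
        if len(data) > 43 and len(data) >= 46 + data[43]:
            sid_len = data[43]       # follows 2-byte version + 32-byte random
            suite = data[44 + sid_len:46 + sid_len].hex()
        return "accepted", "SSLv3 ServerHello, cipher 0x%s" % suite
    return "other", "unexpected record type 0x%02x" % ctype


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, str]:
    """Connect, send the SSLv3 ClientHello and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "esxi01.example.com"
    status, detail = probe_sslv3(target)
    print("%s:443 SSLv3 %s: %s" % (target, status, detail))
```

Run it against a host before and after patching (or after the KB workaround) to see the transition from "accepted" to "closed"; a host that answers "accepted" is the one still exposed to POODLE.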

10 Replies
XavierEstevez
Contributor

A new update to the release notes addresses this issue.

To answer my own questions:

- No, you can't make ESXi 5.5u3b work with earlier vCenter Server versions unless you re-enable SSLv3 in ESXi.

- Yes, updating vCenter Server to 5.5u3b will make it work with ESXi 5.5u3b without SSLv3.

http://pubs.vmware.com/Release_Notes/en/vsphere/55/vsphere-esxi-55u3b-release-notes.html#miscissues

Darkschneidr
Contributor

Thanks for the post, this is the same issue I'm experiencing.

nsa1980
Contributor

Thanks for the post.  Looks like you answered the question you raised.

I also wanted to highlight the content of the known issues.

ESXi55 U3b & VC 55U3b Known Issues

johonetdesign
Contributor

Thanks for posting XavierEstevez

I didn't apply the patch for ESXi 5.5u3b / build 3248547 but only the critical security patch KB2135795 (fixes: Updates OpenSSL to openssl-1.0.1p)

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=213579...

Same issue with vCenter not reconnecting to the ESXi host after remediation/reboot and same error messages in vCenter vpxd.log file.

Enabling SSLv3 (hostd section) in the ESXi config.xml also fixed the issue.

VMware KB: Enabling SSLv3 protocol on vSphere 5.5

andreasjva
Contributor

Does anyone know if we should take this literally and follow the complete instructions in KB2139396, or just enable it on the host in the first couple of steps?

Workaround: When ESXi is rebooted after the remediate process is started, enable SSLv3 on ESXi (which is disabled by default).

This will make sure ESXi gets added to the VC inventory automatically in a few minutes and Remediation is completed. For more information refer to KB 2139396.

I enabled it on the ESXi host, then proceeded with the instructions for everything I could when it made sense. Specifically, I'm talking about modifying configuration files on the server. It was part of the instructions in KB 2139396, so I tried to follow it to the letter. After doing it though, I found the client wouldn't connect (the server service wouldn't start) at all to anything, and would eventually error out. I reverted the following back to normal and was able to connect both hosts. I also noticed an error in the Windows event log on vpxd.exe. One host is running 3248547, and the other is running 3116895. I hesitate to upgrade the 311 to 324.

VMware Virtual Center Server (vpxd) - Port 443

To enable SSLv3:

  1. Open the vpxd.cfg file:

    • Windows default location: C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
    • vCenter Server Appliance default location: /etc/vmware-vpx/vpxd.cfg

  2. Create a backup copy of the file.

  3. Edit the file to add or remove "<sslOptions>16924672</sslOptions>" to enable or disable SSLv3 respectively:

    <vmacore>
      <cacheProperties>true</cacheProperties>
      <ssl>
        <useCompression>true</useCompression>
        <sslOptions>16924672</sslOptions>
      </ssl>
      <threadPool>
        <TaskMax>90</TaskMax>
        <threadNamePrefix>vpxd</threadNamePrefix>
      </threadPool>
    </vmacore>

  4. Save the file.

  5. Restart the vpxd Service.

  6. To disable SSLv3, make sure the "sslOptions" is not set in the vpxd.cfg file.
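To make the sslOptions step concrete, here is an added example (not from the original posts, the KB, or any VMware tool) that decodes the <sslOptions> value and audits a vpxd.cfg or ESXi config.xml for it. It reads the number as an OpenSSL SSL_CTX_set_options() bitmask; the SSL_OP_* values are those of the OpenSSL 1.0.x headers, but that vmacore passes the value through to OpenSSL unchanged is an assumption of this example. The sample config is constructed from the fragment quoted above, wrapped in the <config> root the real files have.

```python
"""Decode the vmacore <sslOptions> bitmask and audit config files for SSLv3.

16924672 decimal is 0x01024000, which lines up with the SSL_OP_* bits from
the OpenSSL 1.0.x ssl.h.  Treating <sslOptions> as an SSL_CTX_set_options()
mask is an assumption made for this example; the bit values are OpenSSL's.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SSL_OP = {  # OpenSSL 1.0.x ssl.h values
    "SSL_OP_LEGACY_SERVER_CONNECT": 0x00004000,
    "SSL_OP_NO_COMPRESSION":        0x00020000,
    "SSL_OP_NO_SSLv2":              0x01000000,
    "SSL_OP_NO_SSLv3":              0x02000000,
    "SSL_OP_NO_TLSv1":              0x04000000,
    "SSL_OP_NO_TLSv1_2":            0x08000000,
    "SSL_OP_NO_TLSv1_1":            0x10000000,
}
KB_SSLV3_ON = 16924672  # the value the KB says to set to re-enable SSLv3


def decode_ssl_options(mask: int) -> List[str]:
    """Return the names of the known SSL_OP_* bits set in mask."""
    return [name for name, bit in SSL_OP.items() if mask & bit]


def sslv3_allowed(mask: int) -> bool:
    """SSLv3 is offered unless SSL_OP_NO_SSLv3 is part of the mask."""
    return not (mask & SSL_OP["SSL_OP_NO_SSLv3"])


def audit_config(xml_text: str) -> Dict[str, object]:
    """Look for vmacore/ssl/sslOptions in a vpxd.cfg or config.xml document.

    An absent element means the build default applies (5.5u3b ships with
    SSLv3 off); a present element is decoded bit by bit.
    """
    root = ET.fromstring(xml_text)
    node = root.find(".//vmacore/ssl/sslOptions")
    if node is None or not (node.text or "").strip():
        return {"sslOptions": None, "sslv3": "build default", "bits": []}
    mask = int(node.text.strip())
    return {
        "sslOptions": mask,
        "sslv3": "enabled" if sslv3_allowed(mask) else "disabled",
        "bits": decode_ssl_options(mask),
    }


# Constructed sample: the KB fragment wrapped in the <config> root of a real file.
SAMPLE_VPXD_CFG = """<config>
  <vmacore>
    <cacheProperties>true</cacheProperties>
    <ssl>
      <useCompression>true</useCompression>
      <sslOptions>16924672</sslOptions>
    </ssl>
  </vmacore>
</config>"""

# Constructed sample with the element removed, i.e. step 6 of the KB.
SAMPLE_UNSET = "<config><vmacore><ssl><useCompression>true</useCompression></ssl></vmacore></config>"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VPXD_CFG
    report = audit_config(text)
    print("sslOptions=%s SSLv3 %s bits=%s"
          % (report["sslOptions"], report["sslv3"], ",".join(report["bits"])))
```

Decoding 16924672 shows it sets SSL_OP_NO_SSLv2, SSL_OP_NO_COMPRESSION and SSL_OP_LEGACY_SERVER_CONNECT but not SSL_OP_NO_SSLv3, which is why writing that value back re-enables SSLv3; the same audit run over /etc/vmware/hostd/config.xml and /etc/vmware/rhttpproxy/config.xml on each host is a quick way to find where the workaround is still in place when you later move to a vCenter that no longer needs it.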
Darkschneidr
Contributor

I just added <sslOptions>16924672</sslOptions> to the config.xml, saved it, then ran "/etc/init.d/rhttpproxy restart"

Once it was done, I was able to connect again. I checked for updates, and all was current. I'm showing 3248547 on my updated machine only.

For me, that is the solution until I decide to put in vCenter 6. I don't plan on changing this until then.

andreasjva
Contributor

Yeah, I wish I had stuck with that approach.  I think I went too far.  I'm going to undo everything I did today except for that one change.  Did you update both hosts?

Darkschneidr
Contributor

I have 7 hosts in the cluster - it runs VDI hosting. I only updated the one until I know for sure that everything is ok with it. I don't plan on updating another host until January at the earliest.

andreasjva
Contributor

Thanks for the info.  I think I'll follow that same path. 

MJoss
Contributor

Thanks for posting.

I had this issue and it's worked for me.
